Amazon Fire TV and the ADB.Miner malware — what you need to know

There's an old Android-based malware making the rounds — but you can avoid it by not doing anything silly with your Amazon Fire TV.

Do you know what ADB means? Have you ever flirted with unknown sources? Do you ever read scary headlines about malware and viruses on Android-based devices and think "My God! What kind of world am I raising my children in?"

OK. Let's back up. There's a bit of Android-based malware — please don't call it a virus — making headlines this week. Again. It's called ADB.Miner and can run on Amazon Fire TV and mine for cryptocurrency in the background, basically rendering an already-not-too-powerful piece of hardware fairly worthless. That's not good.

But it isn't the sort of thing that just happens. You — that is, the user — have to do a few things to get infected in the first place.

Repeat: Your Amazon Fire TV Stick or Amazon Fire TV should not be hit with this malware simply because it exists.

What is ADB.Miner, and why is it so scary?

The malware in question — dubbed "ADB.Miner" because that's its package name — is one of those things that mines for cryptocurrency in the background using your hardware, unbeknownst to you.

It's mostly been localized to China, which isn't all that surprising given the nature of things. China is outside the Google Play and Amazon ecosystems — both of which have pretty stringent checks for this sort of thing.

@GossiTheDog inspired me to take a look back at the ADB.Miner worm, which I've been fingerprinting in February. It seems that it lives and it feels pretty well. I've checked out two days (4th, 5th of June) - about 40 000 unique IP addresses. I'll provide some deep analysis soon. pic.twitter.com/HZcTkMPW5o

That indeed looks scary — but it's not, really. Especially if you only care about Fire TV devices. There's a lot of Android out there. A lot more than we usually appreciate. And a lot of it is in China.

If you go hunting for the ADB.Miner malware on your Fire TV device (it's not visible like other apps) you'll end up finding something called "Test," and with a package name of com.google.time.timer. That's how you know you've been bit.

So what's going on with ADB.Miner, then?

Here's the deal: Like virtually every other piece of Android malware, infection requires the user to install an infected application. And that requires the user to have turned off a couple of safeguards. In this case, we're talking about turning on the "unknown sources" option for the Fire TV device, which allows apps from outside a predetermined app store to be loaded. (There's nothing inherently wrong with that, unless you end up installing an infected application from outside a predetermined app store — ya know, one that checks for malware first.)

ADB.Miner is an Android thing, not a Fire TV thing. It's just that Fire TV is inexpensive and tweakable.

And this one also requires ADB access — that's short for Android Debug Bridge — which allows (among other things) apps to be installed via a command line. Where things get a little tricky is that with Fire TV, enabling ADB also means you've enabled ADB over Wi-Fi — it opens up Port 5555. (You can sniff for yourself and see, if you'd like.)

If a Fire TV device is infected, it'll be able to sniff out other Fire TV devices on your network that also have ADB access enabled (because it scans for the port that ADB uses). Then it'll infect that other device.

ADB not enabled? Then Port 5555 isn't open. And the malware can't spread itself to other devices.

Repeat: By default on Fire TV, the "Unknown Sources" option is turned off. And ADB access is turned off. So Port 5555 is closed.
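To check your own devices for the two signs described above (Port 5555 open, and the com.google.time.timer package), here is a small audit script. It is an added example, not code from the original article or from Amazon; the function names, the sample package list in the usage and the file name `firetv_audit.py` are assumptions made for illustration, and the package lookup assumes the `adb` tool is installed and already authorized on the TV.

```python
import socket
import subprocess
import sys

ADB_PORT = 5555                          # ADB-over-Wi-Fi port named in the article
MINER_PACKAGE = "com.google.time.timer"  # package name the article gives for "Test"

def adb_port_open(host, port=ADB_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def installed_packages(pm_output):
    """Parse `pm list packages` output (one "package:<name>" per line) into a set."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in pm_output.splitlines()
            if line.strip().startswith(prefix)}

def pm_list_packages(host, port=ADB_PORT):
    """Fetch the package list with the adb CLI. Assumes adb is on PATH and
    `adb connect host:port` was already run and approved on the TV."""
    try:
        out = subprocess.run(
            ["adb", "-s", f"{host}:{port}", "shell", "pm", "list", "packages"],
            capture_output=True, text=True, timeout=20)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return out.stdout if out.returncode == 0 else None

def audit(host, pm_output=None, port=ADB_PORT):
    """Return a list of findings for one device; an empty list means nothing found."""
    findings = []
    if adb_port_open(host, port):
        findings.append(f"{host}: TCP {port} is open, ADB over Wi-Fi looks enabled")
    # Exact-name match, so a look-alike such as com.google.time.timer2 is not flagged.
    if pm_output and MINER_PACKAGE in installed_packages(pm_output):
        findings.append(f"{host}: package {MINER_PACKAGE} is installed")
    return findings

if __name__ == "__main__":
    # Usage: python3 firetv_audit.py <ip-of-your-fire-tv> [<ip> ...]
    for host in sys.argv[1:]:
        pkgs = pm_list_packages(host) if adb_port_open(host) else None
        for finding in audit(host, pkgs) or [f"{host}: nothing found"]:
            print(finding)
```

A device with ADB debugging turned off reports nothing here, which is the default state the article describes.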

ADB access and Unknown Sources on Amazon Fire TV. You'll want to leave these off unless you know what you're doing. (And if you know what you're doing you'll leave these off most of the time anyway.)

Why we're not overly worried about ADB.Miner, and what you can do about it

Why is ADB.Miner making waves again? That's not entirely clear. It ramped up earlier this year, then kind of died out. But it's begun to surge again.

https://twitter.com/mdrndad/status/1006563250253828098

And like virtually all other Android malware, it only happens because multiple safety nets have been ignored. Don't allow unknown sources. Don't enable ADB access unless you absolutely need it. (And turn it off when you're done.) Don't allow connections from other devices unless you're 100 percent sure you're the one trying to connect. (That's an additional check built into Android for connecting via ADB.)

And don't buy "cracked" Amazon Fire Sticks. You have no idea what people have done to them.

If you have a Fire TV Stick or Fire TV that has been infected, you've got a few options. One is to hard-reset the thing. The other is to take that $39 stick and throw it in the trash can and think about what you've done. (We've reached out to Amazon to see if they have anything to say, but, frankly, this is an Android thing. Not really a Fire TV thing.)

But the best thing to do? Try to stay out of this sort of trouble in the first place.